We called it: “The culprit is going to get caught soon”. There looked to be too many breadcrumbs in Germany’s recent devastating data dump, which included personal chat logs and details on nearly 1,000 politicians, including Chancellor Angela Merkel.
Now Germany’s BKA (the country’s federal police agency) says a 20-year-old German hacker has confessed to the hack. The agency says it has arrested the student, who reportedly lives with his parents in the Central Hesse county. He appears to have acted alone.
“The defendant stated that he acted out of annoyance over public statements made by the politicians, journalists and public figures concerned,” the BKA said.
German Hacker Caught: BKA Says Confession Taken
“Investigations have so far revealed no evidence of third party participation,” the BKA added in a German-language release, saying the man had “comprehensively acknowledged the allegations against him and provided information on his own offenses”. He was subsequently released due to a “lack of grounds for detention”.
If confirmed in court, the confession may prove an embarrassment to the no small number of cybersecurity companies who emailed Computer Business Review after the hack, immediately pointing the finger at Russian APT groups, with no apparent forensic evidence (we declined to publish these claims, absent any evidence*).
Early evidence suggested social engineering attacks on a limited number of German politicians had exposed social media and Outlook logins that had been used to move laterally through systems, although this has yet to be confirmed.
(While these appear to have been major and highly embarrassing leaks, despite the data volumes, other detail on many of the politicians was thin and appeared to have been collated from publicly available sources.)
He has been released on the condition that he does not leave his parents’ house and continues to cooperate, the Guardian reports, citing Georg Ungefug, a spokesman for the central office for fighting internet crime in Wiesbaden, who described him as having “extensive knowledge of computers”, with no official qualifications, but in possession of “considerable interest and a lot of time” to carry out his attack.
The leaks were made with strenuous effort to ensure they were not immediately removed, with thousands of mirrors to ensure online resilience. Analysis also showed, however, that the hacker had struggled for some time to gain attention for the hack and had deleted thousands of tweets and likes prior to the data dump; archived versions of these pointed to a German national, perhaps with a gamer background.
*We acknowledge the rampant activity of Russian threat actors. We like to see evidence though. See also: Russians in your Router: Unprecedented Joint Technical Alert from UK and US Intelligence